Simplify compliance and reduce risk with Microsoft Compliance Score

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

More than half of risk management decision makers state that IT and cybersecurity risks are their biggest concern[1]. Amid all the challenges in risk management, identifying and assessing risks continue to be the most time-consuming tasks[2]. Many companies rely on manual and point-in-time assessments like annual auditing, which can quickly go out of date and expose companies to unidentified risks between audits. It’s more important than ever to equip IT professionals with the knowledge and tools to work across compliance and risk teams to effectively assess and monitor risks.

We are excited to announce the public preview of Microsoft Compliance Score, which helps you simplify compliance and reduce risks. Even if you are not an expert in complex regulations like GDPR, you can still quickly learn the actions recommended to help you progress toward compliance.

With Microsoft Compliance Score, you can now continuously assess and monitor data protection controls, get recommendations on how to reduce compliance risks, and leverage the built-in control mapping to scale your compliance effort across global, industrial, and regional regulations and standards.

Continuously assess and monitor controls with a risk-based score

Microsoft Compliance Score can scan through your Microsoft 365 environments and detect your system settings, continuously and automatically updating your technical control status[3]. For example, if you configured a compliance policy for Windows devices in the Azure AD portal, Microsoft Compliance Score can detect the setting and reflect that in the control details. Conversely, if you have not created the policy, Microsoft Compliance Score can flag that as a recommended action for you to take. With the ongoing control assessment, you can now proactively maintain compliance, instead of reactively fixing settings following an audit.

Microsoft Compliance Score provides you with improvement actions in different areas, such as information protection, information governance, device management, and more. This allows you to easily understand the contribution you are making towards organizational compliance by category. Each recommended action has a different impact on your score, depending on the potential risk involved, so you can prioritize important actions accordingly.

Score breakdown by category helps you identify categories that need more immediate attention.

Risk managers and compliance professionals can assess controls using the assessments view, which shows you the scores of GDPR, ISO 27001, ISO 27018, NIST CSF, NIST 800-53, HIPAA, FFIEC, and more. To help you better prepare for new waves of privacy regulations coming in 2020, we have released the new California Consumer Privacy Act (CCPA) assessment. Microsoft Compliance Score helps make connections between each regulatory requirement and the solutions that can help you enhance your controls, thus increasing your overall score.

With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. At Microsoft, we have a team of subject matter experts building out and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Microsoft 365 so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Microsoft Compliance Score, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicate work.

Compliance Score is a risk-based score that helps you simplify and automate risk assessments and provides recommendations to help you address risks. It does not express an absolute measure of organizational compliance with any particular standard or regulation. It expresses the extent to which you have adopted controls which can reduce the risks to personal data and individual privacy. Compliance Score should not be interpreted as a guarantee in any way.

[3] Note that this functionality is currently available to part of the technical actions. Over the next few months, we will continue integrating more solutions to automate additional control assessments.